Coldbird and VF, The Big Interview, Part 2

Coldbird and Virtuous Flame are the talented devs behind CFW PRO, a (Light) Custom Firmware that is progressively becoming the most mainstream CFW solution for most PSP owners. I had the privilege of discussing their ongoing work with them a few days ago; here is the second part of this interview.

What was the hardest challenge you had to deal with while working on CFW PRO?

coldbird: Easy one. Haters. Next question please. Well… if you want technical aspects, I can give that too. Our very first problem was that the exploit used on 6.20… wasn’t usable on 6.3X.

Wololo: You mean the user mode exploit?

coldbird: Nah… the Power Kernel Exploit. We spent several days trying to figure out how to use the exploit (which was still there) in a way we could get kernel access.

Wololo: I see… so it was still there, but not usable in the same way.

coldbird: Well… TN was very very lucky… because Sony’s compiler shifted functions in a way he could easily exploit them.

Wololo: I remember VF dealing with many issues, involving the AC Adaptor.

Virtuous Flame: Yep. Even the 5.03 kernel had to be exploited in a new way.

coldbird: The alignment of functions (4 byte alignment) is very important for TN’s code to work, otherwise he can’t trigger a callback. In 6.3X… we had the problem that Sony’s compiler shifted functions differently, aligning them in the worst possible way. After 2 days of thinking I had a brilliant idea which even caught my pro-mate over here off guard. I figured out that on PSP Go… it was possible to use the power exploit to null whole buffer ranges on a 16 byte alignment. I then analyzed 6.3X sysmem.prx to find a suitable exploitable dynamic jal instruction, and we just nulled a user accessible syscall using the PSP Go exploit I discovered. We then set up a proper wrapper code to pass exploitable arguments and bruteforce an exploitable callback id (required for nulling big ranges of memory in kernel), which allowed us to reach a dynamic jal instruction from a user available sysmem callback. [Kids, I hope you’re taking notes]

Virtuous Flame: When Davee released his downgrade he used sceKernelUtilsMd5BlockInit for the exploit. It is nicer but we still used our own way to exploit… that took us several days.

coldbird: This is also the easiest proof that PRO is not a copy. Everyone who is too lazy to look at our assembly is just a random brainless flamer.

Wololo: Ah, that’s a very nice transition, because that was actually my next question.

Some people have been claiming that you are mostly “stealing” other people’s work. I’m sure you are aware of these accusations; is there anything you want to reply to that?

coldbird: Well… if we are stealers, then so is every CFW out there… cause we all reversed the M33 sysctrl module at some point. The only component in our CFW which is not ours (coded from scratch) is the M33 ISO driver.

Virtuous Flame: Not only. The usbdevice.prx as well comes from M33.

coldbird: Yeah, for the USB mounting.

Virtuous Flame: During our reversing of older CFW prx, we had the idea to open source a CFW.

coldbird: Yeah… the world’s rotting but this is why we wanna go the way PRO is going right now…

Thanks for the transition. You stated that CFW PRO will become open source soon. What’s your goal with open-sourcing? Is that also a way to reply to the “stealing” accusations?

coldbird: Nah… the people saying we steal would still say we do, even if we open-sourced it. We are doing it because with every new generation of CFW, it was always the same problem: due to the closed source behaviour, every new iteration required a full reinventing of the wheel. With a fully working and proper CFW source being open, this will improve future CFW development a lot. And killer features like online mode will ensure the PSP stays alive (even after NGP is out) as an online themed multiplayer portable device, which is fully open and the source viewable by everyone.

Wololo: Aren’t you afraid this will also give away some precious information to Sony?

Virtuous Flame: It may increase the risk of leaking CFW secrets to Sony etc, but since PSP is dying the risk is minimized.

coldbird: Why do you think we timed it like this?

Can you talk about the recent work on “permanent patch” for new PSP models? Don’t you think it’s a bit dangerous to permanently patch unhackable motherboards?

coldbird: Yes, but DA did it too before Pandora was out.

Wololo: Wow, that’s true, didn’t even remember that!

coldbird: Besides, the only danger lies in idiots popping the battery out while flashing.

Virtuous Flame: Yes. It’s controllable for now. Now with a bit of work, devs could program tools that would safely go to OFW, recovery mode, etc…

[Note by Wololo: you can follow the ongoing developments of permanent CFW on unhackable motherboards on our forums here; credits go to kgsws for the initial research :)]

You mentioned it several times in your blog; can you describe in a few words the concept of the Online CFW (CFW PRO-C)? I think everybody’s excited, and would love to know what this will bring to end users.

coldbird: Xbox Live for PSPs, just free. I’m sure you know XLink Kai [Note by wololo: see Wikipedia here]. It’s a tunneling software, grabbing airwaves and tunneling the ethernet frames over UDP to the other peers to “enable online play”. Our online mode does the same, just that it isn’t grabbing airwaves, but instead replacing the Sony adhoc modules with an identical copy which uses infrastructure to do the tunneling.

Basically it is an adhoc module emulator, providing a copy of the adhoc functions. The game itself will think it operates on adhoc, while it really connects to our master server for peer matching, and then uses peer-to-peer transmissions to contact all the other players necessary for a game.

Ignoring the technical yada yada, it allows all PSP multiplayer games to play online.

The master server is in fact extremely lightweight, cross-platform compilable, and C++ based. Running on standby, the master server eats less than 5 MB memory, with only about 1 KB of data in memory for each user connected. Which means that even a low-end vserver with, let's say, 128 MB RAM can easily house several thousand users.

Wololo: I’m gonna run my copy of the master server on my PSP.

coldbird: You will be laughing, but indeed the master server can even run on a PSP. It’s a cross-platform app which runs fine on PSP, Linux (32 and 64 bit) and Windows (only tested on 32 bit). The master server operates on TCP connections, while the peers run on UDP.

The only important thing about online mode is to be close to your wifi router: due to the nature of UDP not having error correction, and airwaves being unreliable, the distance to the router is important for lag-free gaming.

Wololo: Ok, now I really can’t wait. This basically means that even when Sony stops supporting the PSP, we will still have a very lively community… I didn’t imagine such a bright future for our beloved console.

How many hours did you both roughly spend so far working on CFW PRO?

coldbird: Uff… how many hours… we have been working on it for how many months now? 8? 9? Several hundred hours, for sure.

Virtuous Flame:
changeset: 0:8ff166839936
date: Fri Jan 07 08:42:22 2011 +0800
summary: Add basic framework
This is where PRO-A begins.

coldbird: That sums up the creation of our repository, but we worked a lot without a dedicated repository before that. That kinda falsifies the results cause most of the time went into early coding, creation of a suitable exploit suite, etc…

Virtuous Flame: 2010/11 we created the 6.31 HEN repo.

coldbird: Well, if it has to be hours, the several hundreds should do its job as an answer I think. We didn’t really count them but it was a lot.

That’s it for this second part of the interview. Last but not least, in the 3rd part we will discuss the hacking of future firmwares, and the NGP. Stay tuned.


wololo


I don’t see too many differences between a CFW and a LCFW other than being executed at boot up, so the main difference is the touch of a button. I don’t get the point of endless discussions… What it only means is that you can count the really important features present in every CFW to make your decision.

This interview is better than the first. There is everything: tech aspects, personal thoughts, nice surprises, new features in CFW… it’s simply great. Keep the good work up. Personally, I think that the online CFW feature is very original and promising. Along with going open source, CB and VF go in the right direction; I cannot agree more with their thoughts. The scene needs to work together to keep this console alive once Sony abandons it. When this happens, the PSP will belong to the people and everyone will do whatever they want. A console with games programmed by normal people, with CFW programmed by normal people, supported by normal people; this console will have a great power! The only thing it needs to have is a powerful SDK to make games on the same level as commercial ones…

Help wololo, can you contact coldbird and tell them I need help? My email is omarquazi@yahoo.ca. When I’m installing the PRO B4 I click X, then I click it again and nothing happens. Not only that, the VSH menu doesn’t even open if I click it, and if I turn my PSP on it opens but doesn’t work. Please help!
